AEPD (Spain) - PS/00189/2021

From GDPRhub
AEPD (Spain) - PS/00189/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published: 14.09.2021
Fine: 56.000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00189/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA fined Vodafone €56,000 for failing to authenticate a data subject, thereby allowing a fraudulent contracting for multiple new telephone lines. In this regard, Vodafone processed personal data without a legal basis according to Article 6(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant has been a victim of identity theft with the data being used to conclude multiple contracts on new telephone lines with Vodafone. Vodafone, however, did not authenticate the complainant's identity but allowed the third party to register new telephone lines in the complainant's name. In this regard, the complainants personal data was incorporated in the information systems of Vodafone without them having legitimately contracted.

Holding[edit | edit source]

The DPA found that Vodafone failed to deploy a minimum diligence for verifying the identity of the contracting party, allowing the third party to fraudulently contract with them in the name of the complainant. Therefore, Vodafone had no legal basis to collect and subsequently process the complainant's personal data and violated Article 6(1) GDPR.

Due to the lack of respect for the principle of legality and the aggravating factors of intention and negligence regarding the processing of basic identifiers of the data subject the AEPD determined a fine of €70,000 reduced to €56,000 because of prior voluntary payment by Vodafone.

Comment[edit | edit source]

This fine is only a part of multiple decisions issued by the AEPD on closely connected matters. For further information see also:

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/8








     Procedure No.: PS / 00189/2021

       RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT

                                    VOLUNTARY

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:


                                  BACKGROUND


FIRST: On July 19, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against Vodafone Spain,
S.A.U. with NIF A80907397 which is transcribed below:

<<
Procedure number: PS / 00189/2021

                                  BACKGROUND



FIRST: D. A.A.A., in the name and on behalf of Mrs. B.B.B. (hereinafter, the
claimant) on December 28, 2020, he filed a claim with the Agency
Spanish Data Protection. The claim is directed against VODAFONE
SPAIN, S.A.U. with NIF A80907397 (hereinafter, the claimed one).


The claimant states that she has been a victim of identity theft by
from a third party, to register new telephone lines next to high-speed terminals
spectrum. In total five lines and four terminals.

Provide the following documentation:

- Report to the Police for hiring telephone lines using your data
personal.
- Copy of invoices requested from this entity associated with the contracting
irregular, with your ID but in the name of the third party.


SECOND: Prior to the admission for processing of this claim, a
transferred the defendant on February 2, 2021, in accordance with the provisions
in article 65.4 of the Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (hereinafter, LOPDGDD), in the
actions with reference E / 00858/2021. The notification is made electronically,

and figure delivered on February 3, 2021.

The respondent has not responded to the information request that was sent to her.

THIRD: In accordance with the provisions of article 65.2 of the Organic Law
3/2018, on Data Protection and Guarantee of Digital Rights (LOPDGDD), in

On April 23, 2021, the claim admission agreement is signed.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8








                            FOUNDATIONS OF LAW

                                             I


        By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.


                                             II

      The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of "legality, loyalty and
transparency". The precept provides:


      "1. The personal data will be:
         a) Treaties in a lawful, loyal and transparent manner in relation to the
             interested party (<< legality, loyalty and transparency >>); "

        Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the

cases in which the processing of third party data is considered lawful:

        "1. The treatment will only be lawful if at least one of the following is met
terms:
      a) the interested party gave their consent for the processing of their data

      personal for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures
      pre-contractual;
      (…) "


      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for
the imposition of administrative fines ”, it states:

      "5. Violations of the following provisions will be sanctioned, in accordance with

with section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the highest amount:


      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "

       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions

considered very serious ”provides:

      "1. Based on what is established in article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8








suppose a substantial violation of the articles mentioned in that one and, in
in particular, the following:


        (…)
       b) The processing of personal data without the concurrence of any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679. "



                                            III

      The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since it processed the
personal data of the claimant without having any legitimacy to do so. The

The claimant's personal data were incorporated into the information systems
of the company, without having proven that he had legitimately hired,
have legitimacy for the collection and subsequent processing of your data
personal, or there is any other cause that makes the treatment carried out lawful.

       Based on the foregoing, in the case analyzed, it remains in

questioned the diligence used by the respondent to identify the
person who contracted on behalf of the claimant.
       Well, the respondent did not respond to the request made by this
Agency on February 2, 2021 and notified on the 3rd of the same month and year.


        Ultimately, the respondent has not provided a document or evidence
any evidence that the entity, in such a situation, had deployed the
minimum diligence required to verify that indeed your interlocutor was the one
claimed to flaunt.


       Respect for the principle of legality that is at the core of fundamental right
protection of personal data requires that it be proven that the
responsible for the treatment deployed the necessary diligence to prove that
extreme. If this Agency does not act like this - and if this Agency does not demand it, it is incumbent upon
for compliance with the regulations governing the right to data protection of
personal character - the result would be to empty the principle of legality of content.


                                            IV

        In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:


           "Each control authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "


       "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8








administrative and its amount in each individual case will be duly taken into account:
        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question

        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the person in charge or in charge of the treatment
        to alleviate the damages suffered by the interested parties;
        d) the degree of responsibility of the person in charge or the person in charge of the

        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;
         f) the degree of cooperation with the supervisory authority in order to establish

        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infringement and, in such
        case, to what extent;
        i) when the measures indicated in article 58, paragraph 2, have been

        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under article 40 or to mechanisms
        certification approved in accordance with article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the

        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. "

      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

         "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:


  a) The continuing nature of the offense.

  b) The linking of the activity of the offender with the performance of data processing
personal.


  c) The benefits obtained as a result of the commission of the offense.

  d) The possibility that the affected person's conduct could have led to the commission of
the offense.

  e) The existence of a merger by absorption process after the commission of the

infringement, which cannot be attributed to the absorbing entity.

  f) Affecting the rights of minors.

  g) Have, when not mandatory, a data protection officer.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8








  h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "


      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine to impose
in the present case, the claimed party is considered responsible for an infringement
typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent
the following factors.


      As aggravating factors the following:

- Intentionality or negligence in the offense (article 83.2 b).

- Basic personal identifiers are affected (name, data

bank, the line identifier) (article 83.2 g).

     That is why it is considered appropriate to graduate the sanction to impose on the claimed and
set it at the amount of € 70,000 for the violation of article 6.1 of the RGPD.

       Therefore, based on the foregoing,


       By the Director of the Spanish Data Protection Agency,

       HE REMEMBERS:



        1. START SANCTIONING PROCEDURE for VODAFONE ESPAÑA,
           S.A.U., with NIF A80907397, for the alleged violation of article 6.1. of the
           RGPD typified in article 83.5.a) of the aforementioned RGPD.


        2. APPOINT Mr. R.R.R. as instructor. and as secretary to Ms. S.S.S.,
           indicating that any of them may be challenged, if applicable,
           in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1
           October, of the Legal Regime of the Public Sector (LRJSP).


        3. INCORPORATE to the sanctioning file, for evidentiary purposes, the
           claim filed by the claimant and its attached documentation, the
           informative requirements that the Subdirectorate General for Inspection of
           Data sent to the claimed entity in the preliminary investigation phase and
           their respective acknowledgments of receipt.


        4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
           October, of the Common Administrative Procedure of the Administrations
           Public, the penalty that may correspond would be 70,000 euros
           (sixty thousand euros), without prejudice to what results from the instruction.


        5. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF
           A80907397, granting you a hearing period of ten business days to
           to make the allegations and present the evidence that it considers

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8








           convenient. In your statement of allegations you must provide your NIF and the
           procedure number at the top of this
           document.


If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).


In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement; it
which will entail a reduction of 20% of the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be

established at 56,000 euros, resolving the procedure with the imposition of this
sanction.

In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,

the sanction would be established at 56,000 euros and its payment will imply the termination
of the procedure.

The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment

of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be
set at 42,000 euros.


In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.

In case you choose to proceed to the voluntary payment of any of the amounts

indicated above, 56,000 euros or 42,000 euros, you must make it effective
by entering the account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears
in the heading of this document and the cause of reduction of the amount to which

is welcomed.

Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity
entered.


The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8








After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.


Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.

Mar Spain Martí
Director of the Spanish Agency for Data Protection "


SECOND: It is clear that the Initiation Agreement was notified on July 26, 2021,
proceeded on August 9, 2021 to pay the sanction in the amount of 56,000
euros making use of the reduction provided for in the Initiation Agreement, stating:
"That Vodafone has ordered the payment of € 56,000 corresponding to the infraction
initially planned, taking into account the 20% reduction for the payment

voluntary sanction, and in this act desists and renounces any action or remedy
in administrative proceedings in relation to this factual assumption, in accordance with
established in art. 85 of the LPACAP ”.

THIRD: The payment made entails the waiver of any action or recourse in progress.
against the sanction, in relation to the facts referred to in the

Initiation Agreement.

                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Data Protection Agency is competent to resolve this
process.


                                            II

       Article 85 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (hereinafter LPACAP), under
The heading "Termination of sanctioning procedures" provides the following:


       "1. Initiated a sanctioning procedure, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the sanction
that proceeds.
       2. When the sanction is solely of a pecuniary nature or it fits

impose a pecuniary and a non-pecuniary sanction but it has been justified
the inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.

       3. In both cases, when the penalty is solely of a pecuniary nature,
the competent body to resolve the procedure will apply reductions of, at
less, 20% on the amount of the proposed sanction, these being cumulative
each. The aforementioned reductions must be determined in the notification of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8








initiation of the procedure and its effectiveness will be conditional on the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.

       The percentage of reduction foreseen in this section may be increased
regulations. "

In accordance with the above, the Director of the Spanish Agency for the Protection of

Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00189/2021, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U. with
NIF A80907397.

       In accordance with the provisions of article 50 of the LOPDGDD, the

This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, interested parties may

file an administrative contentious appeal before the Contentious Chamber-
administrative authority of the National Court, in accordance with the provisions of article 25 and
in section 5 of the fourth additional provision of Law 29/1998, of July 13,
regulator of the Contentious-Administrative Jurisdiction, within a period of two months to
count from the day following the notification of this act, as provided in the

Article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection



























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es